Revenge


Target IP: 10.10.73.196
Challenge Description:

This challenge contains a downloadable text file.

The downloadable text file describes the mission: gain access to the web server by exploiting the web application, then deface the website.


Reconnaissance

There are two TCP ports open on the target machine: SSH and HTTP, both on their standard ports.

An aggressive port scan against the two open ports confirms the services. I will start enumeration with the HTTP application on port 80.

Running whatweb against the HTTP application identifies the technologies used by the target machine. It looks like the target machine is running nginx 1.14.0 as the web server.


Enumeration

Port 80: HTTP
Browsing to the HTTP application displays the company webpage. This webpage lists the names of the owners, which might come in useful at a later stage. A review of the page source also reveals some useful information.

I performed a directory search against the web application and obtained a list of accessible paths.

Browsing to requirements.txt reveals the dependency list of the web application. I assume these are the technologies the target machine uses for this web application.

Browsing to /products/1 displays a product page. I tried changing the parameter 1 to 0, but had no luck. This parameter is dynamic and can be used to browse the different products, ranging from one to four.


Exploitation

Running sqlmap -u http://10.10.73.196/products/0 yields useful information: the web application is vulnerable to blind SQL injection, and sqlmap identified a working payload. Now I can use the --dump flag to dump the contents of the database.
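The root cause behind a finding like this is a product lookup that splices the URL path segment straight into the SQL text. The following is an added example, not code from the challenge's application (whose source is not shown): an in-memory SQLite stand-in for the product table with a constructed set of rows, a vulnerable lookup built by string formatting, and the hardened version that validates the identifier and binds it as a parameter. The vulnerable function is kept only to show why the injection is "blind": a true condition appended to the id returns the row, a false one returns nothing, and that difference in the response is all an attacker needs to infer data one bit at a time. The hardened version removes the signal entirely by refusing anything that is not a plain integer.

```python
import sqlite3

# Constructed sample rows; the real product table on the target is not shown.
PRODUCTS = [
    (1, "Rubber Duck", 9.99),
    (2, "Duck Tape", 4.50),
    (3, "Duck Call", 14.00),
    (4, "Duck Decoy", 29.95),
]


def make_db():
    """Create an in-memory database with a product table like the shop's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    return conn


def get_product_vulnerable(conn, product_id):
    """The flawed pattern: the path segment is formatted into the SQL text.

    Whatever follows /products/ becomes part of the WHERE clause, so a
    boolean condition appended to the id changes how many rows come back.
    """
    query = f"SELECT id, name, price FROM product WHERE id = {product_id}"
    return conn.execute(query).fetchall()


def is_valid_product_id(product_id):
    """Accept only a non-empty string of ASCII digits (no sign, no spaces)."""
    return isinstance(product_id, str) and product_id.isdigit()


def get_product_safe(conn, product_id):
    """Hardened lookup: validate the identifier, then bind it as a parameter.

    With a bound parameter the driver sends the value separately from the
    query text, so it can never be interpreted as SQL.
    """
    if not is_valid_product_id(product_id):
        raise ValueError("product id must be a non-negative integer")
    query = "SELECT id, name, price FROM product WHERE id = ?"
    return conn.execute(query, (int(product_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The two vulnerable calls differ only in the truth of the appended
    # condition, yet return 1 row versus 0 rows: that is the blind oracle.
    print(len(get_product_vulnerable(db, "1 AND 1=1")))
    print(len(get_product_vulnerable(db, "1 AND 1=2")))
    print(get_product_safe(db, "1"))
```

Validating the id up front also gives a clean 400 response for anything that is not a number, which is the behaviour the writeup observed for an out-of-range id without the injectable path underneath it.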

There is one database with three tables: system_user, user, and product. The first two tables sound interesting. Maybe the table system_user contains the admin login?

I managed to dump the contents of the table system_user. This table contains the email, username, and password hash of three users. One user in particular stands out: server-admin. Now I can crack the password hashes. Before attempting this, I want to enumerate the user table too.

The database dump of the table user contains the first flag, thm{br3ak1ng_4nd_3nt3r1ng}. Apart from the flag, I did not find anything useful here. Time to crack the password hashes of the users from the table system_user.

I copied the password hashes of the users into a file called passwd and ran cat to confirm its contents. Then, using john, I attempted to crack the passwords. I successfully cracked the password of the user server-admin. Now I have the credentials server-admin:inuyasha.

From the directory search enumeration, I found the admin webpage at /admin. Browsing to this directory displays a login form. I tried the credentials of the user server-admin here, but had no luck.

However, I was able to use the same credentials against SSH and gain access to the target machine. Now I have a foothold on the target machine as the user server-admin.


Privilege Escalation

Running sudo -l shows some interesting commands that can be executed as the user root without a password. If the config file duckyinc.service can be edited, then I can obtain a root shell.

Using the command find / -name "duckyinc.service" 2>/dev/null, I located this config file. I do not have permission to overwrite it directly. However, the sudo -l output also listed sudoedit. Maybe I can use this binary to change the config file as the user root?

And bingo! I can modify the config file /etc/systemd/system/duckyinc.service as the user root using sudoedit. To accomplish this, I used the command sudo sudoedit -u root /etc/systemd/system/duckyinc.service, which opens the file with its default config settings.
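The weakness here is not file permissions (the unit file itself was root-owned and read-only for server-admin) but the sudo policy: a rule that lets a user edit a systemd unit as root, combined with the right to reload and restart that unit, is equivalent to granting root. An administrator can catch this class of rule before anyone else does. The following is an added example, not part of the writeup or of the challenge machine: a small sudoers auditor in Python that parses user-specification lines and flags users who can both edit unit files and control services. The sudoers text is a constructed sample modelled on what the writeup's sudo -l output implies; the real file on the target is not shown.

```python
import re

# Constructed sample; the actual sudoers on the target is not shown in the writeup.
SUDOERS_SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# The dangerous combination: edit a unit as root, then reload and restart it.
server-admin ALL=(root) NOPASSWD: sudoedit /etc/systemd/system/duckyinc.service
server-admin ALL=(root) NOPASSWD: /bin/systemctl daemon-reload, /bin/systemctl restart duckyinc.service
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user host=(runas) TAG: cmd, cmd ...   (Defaults and aliases are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.*)$"
)
UNIT_DIRS = ("/etc/systemd/", "/lib/systemd/", "/usr/lib/systemd/", "/run/systemd/")
EDITORS = {"sudoedit", "vi", "vim", "nano", "emacs", "ed"}
CONTROL_VERBS = {"daemon-reload", "restart", "start", "reload", "enable"}


def parse_sudoers(text):
    """Return one dict per user-specification line: user, runas, tags, cmds."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                      "tags": tags, "cmds": cmds})
    return rules


def _basename(cmd):
    parts = cmd.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def _edits_unit_file(cmd):
    """True if the command is an editor (or sudoedit) pointed at a unit file."""
    if _basename(cmd) not in EDITORS:
        return False
    args = cmd.split()[1:]
    return any(a.startswith(UNIT_DIRS) or a.endswith(".service") for a in args)


def _controls_services(cmd):
    """True if the command is systemctl with a verb that (re)starts or reloads."""
    parts = cmd.split()
    if _basename(cmd) != "systemctl":
        return False
    return len(parts) == 1 or parts[1] in CONTROL_VERBS


def audit(text):
    """Flag users who can edit systemd units and/or control services via sudo."""
    per_user = {}
    for r in parse_sudoers(text):
        if r["user"] == "root":
            continue
        u = per_user.setdefault(r["user"], {"edit": [], "control": [],
                                            "all": False, "nopasswd": False})
        u["nopasswd"] |= "NOPASSWD" in r["tags"]
        for c in r["cmds"]:
            if c == "ALL":
                u["all"] = True          # full sudo: a policy choice, not a misconfiguration
            elif _edits_unit_file(c):
                u["edit"].append(c)
            elif _controls_services(c):
                u["control"].append(c)
    findings = []
    for user, u in sorted(per_user.items()):
        if u["all"]:
            continue
        if u["edit"] and u["control"]:
            severity = "critical"       # edit a unit as root, then restart it: root shell
        elif u["edit"]:
            severity = "high"           # edit alone still lands at the next reboot/reload
        elif u["control"]:
            severity = "low"            # restart-only is usually what was intended
        else:
            continue
        findings.append({"user": user, "severity": severity, "edit": u["edit"],
                         "control": u["control"], "nopasswd": u["nopasswd"]})
    return findings


if __name__ == "__main__":
    for f in audit(SUDOERS_SAMPLE):
        print(f)
```

The fix that the auditor points at is to drop the sudoedit line and keep only the restart rule for the specific unit; if an operator genuinely needs to tune the service, the tunable values belong in an EnvironmentFile or a drop-in that sudo does not expose, never in the unit's User, Group or ExecStart.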

Then I made changes to the config file. I changed the User, Group, and ExecStart lines: ExecStart now contains a bash reverse shell that connects back to my machine on port 8443, and the User and Group lines ensure the reverse shell session runs as the user root.

I started a listener on my machine on port 8443, then executed sudo systemctl daemon-reload and sudo systemctl restart duckyinc.service and received a root shell on port 8443. The last objective of this mission is to deface the website. Since I have root privileges, I can deface the HTML pages.

I created a defacement index.html page on my machine.

I hosted the defacement index.html on my machine using Python's http.server and transferred it to the target machine with wget, then replaced the site's default index.html with it. I also reverted the changes to the /etc/systemd/system/duckyinc.service config file that invoked the reverse shell connection to my machine, and ran sudo systemctl daemon-reload and sudo systemctl restart duckyinc.service to restart the service normally. After making these changes, I noticed that flag3.txt had appeared.

Browsing to http://10.10.73.196 now displays my defaced webpage. Mission accomplished: I successfully defaced index.html.
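Both of the changes made in this section, the edited unit file and the swapped index.html, are exactly what file-integrity monitoring of /etc/systemd/system and the web root exists to catch. The following is an added example, not part of the writeup: a minimal baseline-and-compare tool in Python that hashes every regular file under the watched directories, then reports files that were added, removed or modified. The demo() function builds a constructed scenario in a temporary directory (a fake web root and unit directory, then a defacement-style overwrite and a User= change in the unit) so the block runs offline; the paths and file contents are made up for the example.

```python
import hashlib
import json
import os
import tempfile


def _sha256(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Map every regular file under the given directories to its SHA-256."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue            # hash real content, not link targets
                baseline[path] = _sha256(path)
    return baseline


def compare(baseline, current):
    """Return the files that appeared, disappeared or changed since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this copy off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake web root and unit directory,
    simulate a defacement plus a unit-file edit, and report what changed.
    Paths are returned relative to the temp directory so they are stable."""
    with tempfile.TemporaryDirectory() as tmp:
        web = os.path.join(tmp, "www")
        units = os.path.join(tmp, "systemd")
        os.makedirs(web)
        os.makedirs(units)
        index = os.path.join(web, "index.html")
        unit = os.path.join(units, "duckyinc.service")
        with open(index, "w") as f:
            f.write("<h1>Duckyinc</h1>\n")
        with open(unit, "w") as f:
            f.write("[Service]\nUser=duckyinc\nExecStart=/usr/bin/app\n")
        baseline = build_baseline([web, units])

        # Simulated tampering: page replaced, unit now runs as root, new file dropped.
        with open(index, "w") as f:
            f.write("<h1>site replaced</h1>\n")
        with open(unit, "w") as f:
            f.write("[Service]\nUser=root\nExecStart=/usr/bin/app\n")
        with open(os.path.join(web, "flag3.txt"), "w") as f:
            f.write("placeholder\n")

        report = compare(baseline, build_baseline([web, units]))
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the baseline would be taken from a known-good deploy and stored off-box, and the comparison run from cron or a timer; a modified unit under /etc/systemd/system or a changed index.html in the web root is a high-confidence alert either way.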


Flags

Flag 1 is located inside the user table of the duckyinc database.

Flag 2 is obtainable after gaining a foothold on the target machine.

Flag 3 is readable after defacing index.html.